Resist This NT Security Blanket

In early December, with the Dec. 31, 2004, end of extended support for Windows NT 4.0 Server looming, Microsoft made two key concessions to large customers. First, it will now offer custom support contracts for an additional year, through the end of 2006, instead of only through 2005 as previously promised. Second, those contracts will include fixes for "important" security flaws, not just the "critical" flaws Microsoft previously committed to fixing. (Microsoft has four ratings for security flaws in its products: low, moderate, important and critical.)

While Microsoft's move may make it tempting to keep Windows NT 4.0 systems around for a while longer, it's a temptation best resisted. Microsoft has good reason to stop supporting Windows NT 4.0, and it's not just to save support costs or drive license revenues. The company has been improving the security (as well as the reliability, scalability and manageability) of the OS for eight years and two full versions now. Microsoft executives know customers are better served by the newer versions.

"This was not intended by Microsoft to be a broad extension to the NT 4 lifecycle. NT 4's lifecycle is ending at the end of 2004," Peter Houston, senior director for Windows serviceability, told Redmond magazine in December. "This service is designed for those customers that are larger and simply need more time to migrate."

A Sliding Scale

The history of Microsoft's Windows NT 4.0 support policies is a story of deadlines and extensions.

December 2001
Microsoft lays out its first NT 4 support policy. Mainstream support is to end Dec. 31, 2002. Fee-based support is extended through Dec. 31, 2003. Security and online support scheduled to end Dec. 31, 2004.

October 2002
Microsoft introduces a comprehensive lifecycle support policy, but NT 4 is not included. Microsoft offers a concession by canceling fees for extended NT 4 support.

January 2003
Microsoft pushes out its extended support deadline a year, to Dec. 31, 2004. Again, no fees.

July 2004
A consortium of IT departments at financial firms discloses Microsoft will offer NT 4 custom support contracts to large customers. The contracts, which guarantee access to hotfixes for "critical" security problems, run through Dec. 31, 2005.

December 2004
Microsoft extends the custom support contracts through Dec. 31, 2006, and guarantees hotfixes for "important" as well as "critical" security problems.

The NT Server contracts are based on a flat fee, paid quarterly, and are designed for customers with hundreds or thousands of Windows NT 4 machines, Houston said, although he declined to discuss exact terms. The contracts are modeled after those for Windows NT 4.0 Workstation that Microsoft began negotiating as that client operating system neared its end on the Microsoft support lifecycle, on June 30, 2004.

As with the workstation custom contracts, customers must have a plan in place for migrating to Windows 2000 or Windows Server 2003 in order to qualify. Analysts at Gartner have publicly pegged the cost of the custom contracts for Windows NT 4.0 Workstation in the range of $200,000—out of range for all but those with the largest of IT budgets.

Even if it's not an extension of the lifecycle in Microsoft's eyes, the company is committing developers, test machines, floor space, administrative help and other resources to the effort of identifying, prioritizing and fixing Windows NT 4.0 bugs for two full years after it had hoped to be done with the OS.

Still, the new policy does amount to an unintended support extension for smaller customers. While critical and important fixes for Windows NT 4.0 will only go to large customers under custom contracts, Microsoft will make fixes available to all customers in cases of critical vulnerabilities for which exploit code, worms or other malware are available to attackers. "We feel very strongly that in the event that a virus or a worm emerges that threatens the stability of the Internet, that we need to act broadly and quickly," Houston says.

That means small shops with Windows NT boxes will be protected against the very worst new flaws until the end of 2006.

Still, don't use this de facto support extension as an excuse to do nothing about upgrading from NT.